
Substack, the subscription-based publishing platform popular among independent writers and journalists, appears to have suffered a significant data breach, exposing the personal information of hundreds of thousands of users.
While the company has not yet issued a public statement, leaked notifications and activity on a notorious hacking forum suggest the breach is both real and serious.
The earliest known disclosure came from journalist Shannon Liao, who shared on X (formerly Twitter) a notification she received directly from Substack. The message, signed by CEO Chris Best, acknowledged that an “unauthorized third party” accessed limited user data, including email addresses, phone numbers, and internal metadata, in October 2025. The issue was detected on February 3, 2026. According to the company’s communication, passwords, payment data, and financial information were not compromised. Another writer, Lori Christian, confirmed receiving the same notice.
The notification indicates that the breach exploited a vulnerability in Substack’s systems, which has since been patched. Substack claims to be conducting a full investigation and has promised systemic improvements to prevent future incidents. However, the timing and content of the notification suggest that the data exposure remained undetected for several months.
Just one day before the notification was sent, a user going by the handle “w1kkid” posted on BreachForums claiming responsibility for leaking a dataset allegedly scraped from Substack. The post includes a CSV file titled substack.csv containing 697,313 user records. The leaked fields are extensive, including:
- Full names and email addresses
- Phone numbers
- User IDs and Stripe customer IDs
- Profile pictures and bios
- Subscription metadata
- Account creation and update timestamps
- Platform usage preferences

A sample of the data appears legitimate and includes records tied to journalists, professionals, and at least one US government-associated email address. Although the total size of Substack’s user base is larger than what’s reflected in the dump, the actor noted the data was gathered via “noisy” scraping methods and was quickly blocked once discovered.

Substack, founded in 2017, offers a platform for writers to distribute newsletters, podcasts, and video content directly to paying subscribers. It has become a key player in the creator economy, especially among independent media voices, and currently hosts thousands of newsletters across a variety of topics. Because its user base includes high-profile journalists, public figures, and industry experts, any compromise of user data raises serious privacy and security concerns.
As of this writing, Substack has not posted a public breach disclosure or provided information via its blog or social media channels.
